Token del portador de HTTP

Muestra cómo realizar solicitudes HTTP autenticadas por Google Cloud.

Explora más

Para obtener documentación en la que se incluye esta muestra de código, consulta lo siguiente:

Muestra de código


#include <google/cloud/functions/http_request.h>
#include <google/cloud/functions/http_response.h>
#include <google/cloud/storage/oauth2/google_credentials.h>
#include <curl/curl.h>
#include <cstdlib>
#include <optional>
#include <sstream>
#include <stdexcept>
#include <string>

namespace gcf = ::google::cloud::functions;

namespace {
/// A helper function to perform an HTTP GET request.
gcf::HttpResponse HttpGet(std::string const& url,
                          std::string const& authorization_header);
}  // namespace

gcf::HttpResponse bearer_token(gcf::HttpRequest request) {  // NOLINT
  static auto const kTargetUrl = [] {
    auto const* target_url = std::getenv("TARGET_URL");
    if (target_url != nullptr) return std::string(target_url);
    throw std::runtime_error("TARGET_URL environment variable is not defined");

  static auto const kCredentials = [] {
    auto credentials =
    if (credentials) return std::move(credentials).value();
    std::ostringstream os;
    os << "Error fetching credentials: " << std::move(credentials).status();
    throw std::runtime_error(std::move(os).str());

  static auto const kCurlInit = [] {
    return curl_global_init(CURL_GLOBAL_ALL);

  if ( == "/no-auth-header") return HttpGet(kTargetUrl, "");

  auto header = kCredentials->AuthorizationHeader();
  if (header) return HttpGet(kTargetUrl, *header);

  std::ostringstream os;
  os << "Error creating authorization header: " << std::move(header).status();
  throw std::runtime_error(std::move(os).str());


import (


// `makeGetRequest` makes a request to the provided `targetURL`
// with an authenticated client using audience `audience`.
func makeGetRequest(w io.Writer, targetURL string, audience string) error {
	// For Cloud Functions, endpoint (`serviceUrl`) and `audience` are the same.
	// Example `audience` value (Cloud Functions): https://<PROJECT>-<REGION>-<PROJECT_ID>
	// (`targetURL` and `audience` will differ for GET parameters)
	ctx := context.Background()

	// client is a http.Client that automatically adds an "Authorization" header
	// to any requests made.
	client, err := idtoken.NewClient(ctx, audience)
	if err != nil {
		return fmt.Errorf("idtoken.NewClient: %v", err)

	resp, err := client.Get(targetURL)
	if err != nil {
		return fmt.Errorf("client.Get: %v", err)
	defer resp.Body.Close()
	if _, err := io.Copy(w, resp.Body); err != nil {
		return fmt.Errorf("io.Copy: %v", err)

	return nil



public class Authentication {

  // makeGetRequest makes a GET request to the specified Cloud Run or
  // Cloud Functions endpoint `serviceUrl` (must be a complete URL), by
  // authenticating with an ID token retrieved from Application Default
  // Credentials using the specified `audience`.
  // For Cloud Functions, endpoint (`serviceUrl`) and `audience` are the same.
  // Example `audience` value (Cloud Functions):
  public static HttpResponse makeGetRequest(String serviceUrl, String audience) throws IOException {
    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
    if (!(credentials instanceof IdTokenProvider)) {
      throw new IllegalArgumentException("Credentials are not an instance of IdTokenProvider.");
    IdTokenCredentials tokenCredential =
            .setIdTokenProvider((IdTokenProvider) credentials)

    GenericUrl genericUrl = new GenericUrl(serviceUrl);
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
    HttpTransport transport = new NetHttpTransport();
    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
    return request.execute();


 * TODO(developer): Uncomment these variables before running the sample.
// Example:
// const url = 'https://TARGET_HOSTNAME/TARGET_URL';

// Example (Cloud Functions):
// const targetAudience = 'https://TARGET_AUDIENCE/';
const {GoogleAuth} = require('google-auth-library');
const auth = new GoogleAuth();

async function request() {`request ${url} with target audience ${targetAudience}`);
  const client = await auth.getIdTokenClient(targetAudience);
  const res = await client.request({url});;

request().catch(err => {
  process.exitCode = 1;


import urllib

import google.auth.transport.requests
import google.oauth2.id_token

def make_authorized_get_request(endpoint, audience):
    make_authorized_get_request makes a GET request to the specified HTTP endpoint
    by authenticating with the ID token obtained from the google-auth client library
    using the specified audience value.

    # Cloud Functions uses your function's URL as the `audience` value
    # audience =
    # For Cloud Functions, `endpoint` and `audience` should be equal

    req = urllib.request.Request(endpoint)

    auth_req = google.auth.transport.requests.Request()
    id_token = google.oauth2.id_token.fetch_id_token(auth_req, audience)

    req.add_header("Authorization", f"Bearer {id_token}")
    response = urllib.request.urlopen(req)


¿Qué sigue?

Para buscar y filtrar muestras de código para otros productos de Google Cloud, consulta el navegador de muestra de Google Cloud.